Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
firmware.x86_64.elf
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
|
initial sample
|
 |
|
|
/usr/bin/wmugnva
|
ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
|
dropped
|
|
|
|
/var/spool/cron/crontabs/root
|
ASCII text
|
dropped
|
|
|
|
/var/spool/cron/crontabs/tmp.D1HADU
|
ASCII text
|
dropped
|
|
|
|
/var/spool/cron/crontabs/tmp.uUO5d2
|
ASCII text
|
dropped
|
|
|
|
/etc/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (360), with no line terminators
|
dropped
|
||
|
/etc/d
|
ASCII text
|
dropped
|
||
|
/home/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (360), with no line terminators
|
dropped
|
||
|
/mnt/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (360), with no line terminators
|
dropped
|
||
|
/root/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (360), with no line terminators
|
dropped
|
||
|
/tmp/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (8280), with no line terminators
|
dropped
|
||
|
/var/allah_is_prick.html
|
HTML document, ASCII text, with very long lines (360), with no line terminators
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
/tmp/firmware.x86_64.elf
|
/tmp/firmware.x86_64.elf
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "crontab /var/spool/cron/crontabs/root"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/crontab
|
crontab /var/spool/cron/crontabs/root
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "hostname -I"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/hostname
|
hostname -I
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/bin/sh
|
sh -c "crontab /var/spool/cron/crontabs/root"
|
||
|
/bin/sh
|
-
|
||
|
/usr/bin/crontab
|
crontab /var/spool/cron/crontabs/root
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
||
|
/tmp/firmware.x86_64.elf
|
-
|
There are 113 hidden processes, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
51c000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
1109000
|
page read and write
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1105000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
51c000
|
page read and write
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f1c3000
|
page execute read
|
|||
|
41b000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
51f000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1109000
|
page read and write
|
|||
|
7ffd9f152000
|
page read and write
|
|||
|
41b000
|
page execute read
|
|||
|
1109000
|
page read and write
|
There are 192 hidden memdumps, click here to show them.